Apple has made one last major update to its current operating systems addressing a serious security flaw that was being exploited by the spyware Pegasus.
On Monday 13 September 2021 Apple released iOS 14.8 and iPadOS 14.8 alongside updates for macOS Big Sur, macOS Catalina and watchOS all of which appear to address the vulnerabilities that have been exploited by Pegasus for about half a year.
Apple’s support page details the content of the security updates. They include an update to the CoreGraphics framework and an update to the WebKit framework. The New York Times reports that these updates fix a vulnerability related to spyware Pegasus.
The Pegasus security flaw, which was discovered by Citizen Lab, was related to error CVE-2021-30860 in Core Graphics.
The following security risks addressed by the link are outlined by Apple as "Processing a maliciously designed PDF file can lead to the execution of arbitrary code. Apple is aware of a report that this problem may have been actively exploited."
Plus: "The processing of maliciously crafted web content can lead to the execution of arbitrary code. Apple is aware of a report that this problem may have been actively exploited."
The following updates close both gaps that seem to have been exploited for Pegasus:
- iOS 14.8
- iPadOS 14.8
- watchOS 7.6.2
- macOS 11.6 Big Sur
- Security Update 2021-005 for macOS Catalina
- Safari 14.1.2 for Catalina and Mojave
Apple has also updated its malware scanner MRTConfigData. The latest version is number 1.84.
Big Sur users need only update the operating system. Catalina users must download a new version of Safari separately after the security update. The version number has not changed, but the build number is 156126.96.36.199.7.
It is significant that macOS Mojave is missing from this series of updates. There could be two reasons for this: either Apple has now moved the operating version to the Outdated List (since macOS Monterey will come in a few weeks). Alternatively, it may be that the Pegasus gap does not affect macOS Mojave.
Read more about Pegasus:
- iPhones vulnerable to spyware: Amnesty International
- Pegasus iOS hack bypasses Blastdoor to target iPhones
More info from Apple.